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13  ABSTRACT  200  words': 

Under  grant  AFOSR-91-0354  we  have  investigated  event-based  specification  and  constraint 
language  extensions  of  our  Rapide  prototyping  language.  We  have  also  investigated  testing 
methods  and  tools  for  detecting  constraint  violations  in  simulations  of  distributed 
time-sensitive  avionics  systems  and  control  systems.  Rapide  models  the  behavior  of  a 
distributed  system  by  generating  causal  event  simulations.  A  causal  event  simulation  is  a 
timed  poset  (partially  ordered  set  of  events  with  timing).  Dependencies  between  events  as 
well  as  their  timing  are  captured  in  the  poset  execution  model,  thus  providing  a  more 
detailed  and  precise  picture  of  the  behavior  of  a  realtime,  distributed  system  than  current 
simulation  technolog}'  based  upon  sequential  traces  of  events.  Resets  allow  more  powerful 
constraint  specifications  than  traces,  e.g.,  asynchronous  behavior.  This  work  has  developed 
(i)  basic  algorithms  for  implementing  poset  computations,  (ii)  a  constraint  language  for 
specifying  behavior  in  terms  of  posets,  and  (iii)  automatable  algorithms  and  tool-set  for 
detecting  constraint  violations  in  posets.  To  establish  the  feasibility  of  scaling  this 
simulation  technology  to  practical  avionics  examples,  have  applied  the  technology  to 
developing  high  level  systems  architectures  of  avionics  systems.  We  have  also  applied 
constraint  monitoring  of  the  avionics  simulations  to  detect  design  errors .  The  avionics 
systems  studied  include  the  IBM  ADAGE  helicopter  avionics  system  architecture,  and  a  high 
level  architecture  of  the  Boeing  DARTS  system  for  building  flight  simulators. 
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1  Abstract 


Under  AFOSR  grant  91-0354A  we  have  investigated  event-based  specification  languages  that  can 
be  positioned  as  constraint  language  extensions  of  our  Rapide  prototyping  language.  We  have  also 
investigated  testing  methods  based  upon  tools  for  detecting  constraint  violations  in  simulations 
of  distributed  time-sensitive  avionics  systems  and  control  systems.  Rapide  models  the  behavior 
of  a  distributed  system  by  generating  causal  event  simulations  of  such  systems.  A  causal  event 
simulation  is  a  timed  poset  (partially  ordered  set  of  events  with  timing).  Dependencies  between 
events  as  well  as  their  timing  are  captured  in  the  poset  execution  model,  thus  providing  a  more 
detailed  and  precise  picture  of  the  behavior  of  a  realtime,  distributed  system  than  current  simu¬ 
lation  technology  based  upon  sequential  traces  of  events.  Posets  allow  more  powerful  constraint 
specifications  of,  e.g.,  asynchronous  behavior,  than  traces.  This  work  has  developed  (i)  basic  algo¬ 
rithms  for  implementing  poset  computations,  (ii)  a  constraint  language  for  specifying  behavior  in 
terms  of  posets,  and  (Hi)  automatable  algorithms  and  tool-set  for  detecting  constraint  violations 
in  posets  produced  by  Rapide  simulations.  To  establish  the  feasibility  of  scaling  this  simulation 
technology  to  practical  avionics  examples,  we  have  applied  it  to  developing  high  level  system  ar¬ 
chitectures  of  avionics  systems  in  Rapide,  and  applying  constraint  monitoring  to  simulations  of 
these  architectures  to  detect  design  errors.  The  avionics  systems  studied  include  IBM  ADAGE 
helicopter  avionics  system  architecture,  and  a  high  level  architecture  of  the  Boeing  DARTS  system 
for  building  flight  simulators. 


2  Introduction 


19950413  079 


Evolutionary  prototyping  is  an  emerging  technology  for  integrating  rigorous  systems  design  methods 
with  highly  accurate  behavioral  analysis  methods  throughout  the  system  development  process. 
Rigorous  design  methods  can  be  founded  upon,  for  example,  the  use  of  formal  specifications,  which 
by  and  large  are  not  used  in  current  practice.  Accurate  analysis  methods  require  a  foundational 
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basis  of  rnoro  dotailsd  and  precise  models  of  timed  distributed  computation  than  are  currently  used. 
But  above  all,  evolutionary  prototyping  is  focussed  on  the  need  to  integrate  design  and  analysis 
throughout  the  development  of  a  system  in  a  very  tightly  coupled,  fine-grain  process.  This  is  in 
direct  contrast  with  current  systems  development  technology  which  separates  design  and  analysis 
into  distinct  phases,  often  resulting  in  large  and  costly  redesign  efforts. 

To  ensure  relevance  and  applicability,  our  research  has  developed  constraint-based  specification 
languages  and  analysis  methods  to  support  current,  on-going  projects  in  prototyping  distributed, 
time-sensitive  systems.  The  subject  projects  chosen  to  study  applicability  of  our  work  include  the 
Stanford/TRW  ARPA  Prototech  project,  avionics  and  control  architectures  from  two  of  the  ARPA 
DSSA  projects,  and  the  Boeing  DARTS  system. 

The  Rapide  prototyping  language  design  is  based  upon  the  model  of  a  distributed  computation  as 
a  partially  ordered  set  of  events  with  timing  measures  (Timed  Poset).  This  is  the  Rapide  execution 
model  adopted  in  the  Stanford/TRW  Prototech  project  [1].  This  model  has  already  been  shown 
to  provide  significantly  more  information  for  analysis  of  system  behavior  than  the  commonly  used 
linear  trace  model.  Also,  our  work  on  this  project  in  analysis  tools  [9]  shows  that  this  information, 
although  complex,  can  be  organized  for  processing  by  automated  tools  such  as  error  checkers  and 
graphical  depiction  tools. 

This  research  effort  under  AFOSR  grant  Grant-91-0354A  has  accomplished  the  following  goals: 


1.  development  of  basic  algorithms  for  implementing  poset  computations, 

2.  design  of  a  constraint  language  for  specifying  system  behavior  in  terms  of  posets.  This 
constraint  language  has  the  properties  that 

•  the  constraints  are  powerful  enough  to  express  many  critical  properties  of  avionics  system 
architectures,  including  communication  protocols  and  timing  behavior, 

•  violations  of  the  constraints  in  poset  simulations  can  be  detected  by  simple  algorithms 
at  runtime. 

3.  implementation  of  a  pilot  tool-set,  extending  the  Rapide  simulator  tools,  for  detecting  con¬ 
straint  violations  in  posets  produced  by  Rapide  simulations. 

4.  demonstration  of  feasibility  of  scaling  this  simulation  technology  to  practical  avionics  exam¬ 
ples.  We  have  represented  high  level  functional  architectures  of  avionics  systems  in  Rapide 
and  applied  constraint  monitoring  to  Rapide  simulations  of  these  architectures  to  detect  de¬ 
sign  errors.  The  avionics  systems  studied  include 

•  IBM  ADAGE  helicopter  avionics  system  architecture,  and 

•  a  high  level  architecture  of  the  Boeing  DARTS  system  for  building  flight  simulators. 
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These  accomplishments  over  the  lifetime  of  the  AFOSR  grant  establish  that  we  have  achieved  our 
original  goals  of  the  project,  which  were  to  :  (i)  develop  accurate  simulations  of  distributed  time 
sensitive  computations,  perhaps  improving  upon  the  timed  poset  model,  and  algorithms  for  con¬ 
structing  such  simulations  by  executing  architectural  models,  (ii)  design  a  language  for  specifying 
systems  in  terms  of  the  timed  poset  model  of  their  behaviors,  and  (Hi)  implement  and  test  the 
scalability  of  analytical  tools  for  applying  constraint  specifications  to  analysis  of  avionics  system 
architectures  expressed  in  Rapide. 


3  Context  of  the  Overall  Effort 


Rapide  is  an  executable  ADL.  Its  purpose  is  (i)  to  study  and  develop  a  foundational  theory  of  dis¬ 
tributed  system  architectures,  and  (ii)  to  design  language  constructs  for  expressing  architecture  in 
an  executable  form  to  enable  early  prototyping  of  systems  designs.  Rapide  supports  execution  and 
analysis  of  system  architectures  using  the  timed  poset  execution  model  for  distributed/ concurrent 
systems.  The  advantage  of  timed  posets  over  timed  linear  traces  is  that  they  capture  not  only 
the  time  at  which  events  happen,  but  also  dependency  between  events  (i.e.,  which  events  caused 
which  other  events  to  happen,  and  which  events  happened  independently).  This  model  is  actually 
constructed  when  a  prototype  of  a  system  is  executed  in  the  Rapide  prototyping  language  [1]. 
Algorithms  to  do  this  have  been  implemented  that  optimize  techniques  due  to  Fidge  [2].  Similar 
models  can  be  implemented  for  Ada  systems  following  our  previous  work  on  TSL. 

The  design  of  Rapide  uses  event-pattern  concepts  from  the  TSL  (specification  language  for  Ada 
tasking)  and  VAL  (specification  language  for  VHDL)  specification  languages  which  were  developed 
under  our  previous  AFOSR  grants.  Over  the  period  of  this  AFOSR  grant  we  have  developed  analysis 
algorithms  for  checking  event  pattern  constraints  for  consistency  with  timed  poset  executions.  This 
provides  the  foundation  for  an  automated  capability  to  check  the  behavior  of  prototype  distributed 
systems  at  runtime  for  violations  of  specifications. 


3.1  Distributed  Execution  Models 

Over  the  past  four  years  our  work  has  demonstrated  the  feasibility  of  implementing  languages  that 
generate  posets. 

A  number  of  open  questions  about  models  of  distributed  realtime  computations  remain.  These 
have  to  do  with  the  possibility  of  constructing  even  more  accurate  models,  and  the  scalability  of 
current  modelling  technology  to  handle  very  large  systems.  Our  work  under  this  AFOSR  grant  was 
aimed  at  investigating  such  issues,  for  example  : 
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•  Implementation  algorithms  for  scalability  to  lOK  concurrency. 

Fundamental  questions  of  scalability  of  the  current  implementation  algorithm  from  a  capa¬ 
bility  to  deal  with  systems  involving  a  hundred  concurrent  threads  of  control  to  systems  with 
many  thousands  of  threads  remain  open.  We  have  improved  existing  algorithms  to  handle 
2K  events  per  second  in  models  of  highly  concurrent  systems. 

•  Models  of  widely  distributed  Local  Time 

All  applications  of  timed  poset  models  that  we  have  investigated  so  far  model  systems  con¬ 
taining  a  single  global  clock.  All  components  of  such  systems,  no  matter  how  far  apart,  can 
read  the  same  clock.  Although  our  current  timed  posets  can  model  widely  distributed  timed 
systems,  such  as  the  Internet  where  each  net  node  has  its  own  local  clock,  we  have  not  yet 
studied  models  that  make  essential  use  of  this  facility.  Examples  to  be  studied  are  satellite 
communication  systems.  We  have  not  yet  been  able  to  initiate  a  research  effort  to  study 
this  problem  in  detail,  although  the  Rapide  LRMs  do  provide  a  design  for  distribnted  local 
clocks. 


3.2  Constraint-Based  Specification  Language  Design 

Specifications  of  a  highly  parallel  system  can  be  given  in  terms  of  the  timed  poset  model.  To  do 
this,  the  required  behaviors  (timed  posets)  of  the  system  are  specified  by  means  of  constraints 
bounding  the  allowable  variations  of  behavior.  In  general,  such  specifications  define  patterns  of 
dependency,  concurrency,  synchronization,  and  timing  between  the  sets  of  events  that  the  system 
produces  when  it  executes.  Quite  often,  the  specified  activity  is  dependent  on  the  state  of  the 
system,  and  also  it  is  common  to  have  many  events  that  are  irrelevant  to  a  particular  behavior. 
Accurate  specifications  must  therefore  refer  to  patterns  of  events,  state  context,  and  be  capable  of 
hiding  (or  abstracting)  unnecessary  details. 

A  critical  step  in  the  development  of  Rapide  technology  is  the  design  of  a  powerful  abstract  interface 
specification  language  based  on  poset  executions.  This  is  important  in  providing  a  capability  to 
specify  interfaces  of  components  in  a  large  distributed  system,  particularly  enabling  the  application 
of  object-oriented  methods  to  such  specifications. 

During  the  period  of  this  AFOSR  grant  we  able  to  design  a  constraint-based  specification  language 
to  fit  with  Rapide  that  provided  several  of  the  desired  features  :  (i)  relational  operators  (e.g., 
immediately  relevant,  dependent,  parallel,  time  relation),  (ii)  subcomputation  templates  (e.g.,  pat¬ 
terns  of  events),  (lii)  state  context  (e.g.,  use  of  abstract  data  types  as  state  specifications),  (iv) 
hiding  (e.g.,  filters  for  excluding  irrelevant  events). 

However,  only  a  subset  of  this  language  has  been  implemented  in  the  constraint  violation  detection 
tools.  This  subset  is  indeed  powerful  enough  to  express  many  system  specifications.  But  many 
practical  issues  surrounding  complexity  of  checking  algorithms  for  constraint  on  posets  remain  to 
be  investigated. 
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3.3  Specification  of  Distributed  Timed  Computations 

Specifying  timing  behavior  has  proven  to  be  one  of  the  most  difficult  aspects  in  the  description  of 
real-time  systems.  The  different  views  of  time  espoused  by  systems  to  date  can  be  classified  into  at 
least  three  groups.  Although  the  placement  of  a  particular  language  into  one  group  is  sometimes 
debatable,  the  classes  are  still  useful  for  organizing  the  various  views  of  time. 

We  have  already  developed  a  simple  global  timing  model  for  a  preliminary  implementation  of 
Rapide.  This  allows  posets  of  events  to  be  produced  by  prototypes  in  which  the  events  are 
assigned  timestamps  and  timing  intervals.  Thus,  events  that  overlap  in  time  can  be  represented  in 
timed  poset  models. 

Some  of  the  goals  we  planned  to  attempt  under  the  present  AFOSR  investigation  into  timing 
specifications  of  distributed  time-critical  systems  were  only  partially  attempted  due  to  time  and 
resource  limitations.  Some  remaining  issues  are  : 


1.  Develop  a  set  of  benchmark  timing  examples  which  capture  the  different  facets  of  time  in  the 
modelling  of  time-critical  distributed  systems. 

2.  Evaluate  different  timing  specification  languages  for  applicability  to  modeling  distributed 
systems  with  multiple  clocks. 

3.  Formulate  a  timing  specification  language,  possibly  based  on  an  existing  language,  suitable 
for  modeling  distributed  systems  with  multiple  clocks. 

3.4  Constraint  Checking  Algorithms 

We  have  implemented  constraint  checkers  for  a  constraint-based  Rapide  Specification  Language. 
These  tools  allow  runtime  checking  of  event  pattern  constraint  on  posets.  They  have  been  used  in 
conjunction  with  Rapide  analysis  tools  such  as  the  Poset  Browser,  and  have  been  tested  on  many 
examples  developed  both  within  and  outside  our  research  group.  These  examples  include  the  IBM 
avionics  system  which  is  one  of  the  ARPA  DSSA  benchmark  system  architectures.  Much  further 
research  into  practical  runtime  violation  detection  algorithms  for  even  more  powerful  constraints  is 
still  needed. 


4  Results  Achieved  and  Technology  Impact 


Previous  annual  reports  have  described  the  progress  and  impact  of  this  project  in  prior  years. 
During  the  past  year,  the  main  thrusts  of  this  AFOSR  project  have  been: 
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•  (i)  integration  of  a  constraint  language  into  the  Rapide  simulation  language. 

•  (ii )  completion  of  the  constraint  checking  tool,  and  its  integration  with  the  Rapide  compiler 
and  runtime  simulation  scheduler. 

•  (ill)  completion  of  a  feasibility  study  to  apply  constraint  checking  to  Rapide  simulations 
of  industrial-scale  avionics  problems,  including  ADAGE,  and  DARTS,  as  well  as  to  other 
systems  including  AEGIS,  SPARC  V9,  and  X/Open  DTP  [11,  5]. 


This  work  carried  out  under  our  AFOSR  grant  has  had  a  critical  impact  on  our  Rapide  technology 
development  and  studies  aimed  at  establishing  scalability  to  industrial  size  systems  and  finally, 
transition  to  industry.  The  constraint  language  checker  is  now  an  integral  part  of  the  current 
Rapide  simulation  and  analysis  toolset,  which  is  being  implemented  under  ARPA  contracts  and 
tested  by  TRW  and  other  industry  companies.  The  tools  are  also  been  used  by  outside  users  and 
by  students  in  a  course  on  design  and  prototyping.  The  range  of  applications  that  have  been  the 
subject  of  various  Rapide  studies  include  ; 

•  two  avionics  systems  (ADAGE  and  DARTS), 

•  a  model  of  the  safety  critical  subsystem  of  an  air  traffic  control  system, 

•  a  shared  memory  multiprocessor  [10], 

•  the  super  SPARC  CPU  architecture, 

•  distributed  transaction  management  systems  such  as  X/ Open, 

•  the  Navy’s  AEGIS  weapon  system 

We  have  given  accounts  of  much  of  this  work  in  previous  annual  reports,  particularly  ADAGE. 
However,  the  application  to  DARTS  was  only  initiated  during  FY94,  so  we  give  a  short  overview 
of  this  work  in  the  following  section. 


5  Application  to  the  DARTS  System 


In  the  following  we  give  a  brief  summary  of  our  most  recent  application  to  an  industry  avionics 
system.  This  work  is  ongoing  at  the  time  the  AFOSR  Grant  terminated,  but  had  been  taken  far 
enough  to  provide  good  evidence  of  Rapide  applicability  to  flight  simulator  system  architectures. 
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5.1  Background 


DARTS,  Domain  Architecture  for  Reuse  in  Training  Systems,  is  the  software  architecture/system 
architecture  for  Air  Vehicle  Training  Systems  (AVTS)  developed  by  Boeing’s  Defense  and  Space 
Group. 

The  English  description  of  DARTS,  in  12  volumes  of  documents,  is  ambiguous,  inconsistent,  flat 
and  difficult  to  understand,  which  hinders  the  cost/performance  study  in  application  engineering. 

Boeing  desired  an  executable  model  of  DARTS  that 

1.  Provides  a  compressed  presentation  of  DARTS  system- level  design  out  of  the  presently  exist¬ 
ing  12  volumes  of  documentation. 

2.  Supports  trade  studies  of  DARTS  at  system-level  by  showing  cost  functions  and  performance 
measurements  for  different  designs/configurations/work-load-distributions. 

3.  Helps  answer  two  system-level  questions  very  early  in  application  engineering  process:  Will 
this  design  work  ?  How  does  this  design  compare  with  other  designs  ? 

5.2  Modeling  DARTS  in  Rapide 

Rapide  is  an  executable  architecture  definition  language,  developed  by  Stanford’s  Program  Verifica¬ 
tion  and  Analysis  Group.  Rapide’s  unique  advanced  features  enable  design  engineers  to  define  their 
target  system’s  architecture  at  different  levels  of  abstraction,  to  execute  the  defined  architecture, 
and  to  check  and  analyze  results  produced  by  the  execution. 

Rapide  modeling  of  DARTS  precisely  addresses  the  problems  of  ambiguity,  inconsistence,  flatness 
and  difficulty  in  understanding  with  the  DARTS  documents. 

The  Rapide  model  of  DARTS  that  was  developed  during  this  effort  provides 

1.  Executable  simulation  of  DARTS  at  the  system-level  (i.e.,  Fundamental  MSS  Partitioning 
level,  in  Boeing’s  jargon). 

2.  Display  of  event  flow  and  timing  relationship  of  DARTS’  Segments,  Subsystem  Controller 
and  Components  in  simulation  execution. 

3.  System-level  performance  measurements  with  different  designs/configurations. 

4.  Assistance  in  cost  estimation.  Once  the  performance  of  different  designs  is  obtained,  cal¬ 
culating  the  cost/performance  would  be  a  simple  optimization  problem  with  tools  such  as 
Mathematica. 
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By  “system-level”  simulation,  we  mean  executing  the  DARTS  model  at  abstract  functional  level, 
i.e.,  the  functions  are  abstracted  such  that  important/relevant  events  and  dependences  can  be  seen 
without  using  the  full  implementation  of  the  functions. 


5.3  Achievements  to  date 

We  have  approached  DARTS  modeling  in  a  top-down  hierarchical  manner. 

We  have  built  our  first  Rapide  model  of  DARTS  at  the  fundamental  MSS  partitioning  level,  which 
is  the  very  high  level  of  abstraction  of  DARTS.  This  model  includes  (1)  the  Global  Simulation 
Control,  the  MSS  components  and  the  communication  mechanism,  (2)  the  interface  functions  of 
Global  Simulation  Control,  and  the  MSS  components. 

We  have  executed  the  DARTS  model  in  Rapide.  The  execution  simulates  3  phases  of  high-level 
DARTS  system  operation;  initialization,  frame  transmission  and  completion.  The  execution  has 
provided  event  flow  and  dependences  in  visual  form,  which  will  be  used  for  analysis  and  verification. 


5.4  Continuation  of  the  DARTS  Modelling  Study 

At  the  next  level,  our  initial  model  will  be  expanded  to  including  protocols,  timing  estimates, 
throughput  estimates,  and  other  details. 

At  the  third  level,  our  model  at  the  second  level  will  be  further  expanded  and  may  provide  (1)  high- 
level  description  of  all  functions  in  Module  Executives,  Segment  Executives,  Subsystem  Controllers 
and  Components,  (2)  the  protocols  of  communications  between  Module  Executives,  Segment  Ex¬ 
ecutives,  Subsystem  Controllers  and  Components,  (3)  Sample  but  complete  simulation  frames,  and 
(4)  a  scenario  that  explains  how  all  segments  react  to  some  typical  situations  (encoded  in  frames) 
and  collaborate  to  carry  out  tasks. 


6  Conclusions 


This  work  carried  out  under  AFOSR  grant  Grant-91-0354A  has  had  a  critical  impact  on  our 
Rapide  technology  development  and  studies  aimed  at  establishing  scalability  to  industrial  size 
systems  and  finally,  transition  to  industry.  The  constraint  language  checker  is  now  an  integral  part 
of  the  current  Rapide  simulation  and  analysis  toolset,  which  is  being  implemented  under  ARPA 
contracts  and  tested  by  TRW  and  other  industry  companies.  The  tools  are  also  been  used  by 
outside  users  and  by  students  in  a  course  on  design  and  prototyping.  The  range  of  applications 
that  have  been  the  subject  of  various  Rapide  studies  include  : 
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•  two  avionics  systems  (ADAGE  and  DARTS), 

•  a  model  of  the  safety  critical  subsystem  of  an  air  traffic  control  system, 

•  a  shared  memory  multiprocessor  [10], 

•  the  super  SPARC  CPU  architecture, 

•  distributed  transaction  management  systems  such  as  X/Open, 

•  the  Navy’s  AEGIS  weapon  system 


7  List  of  Publications  Under  AFOSR  grant  Grant-91-0354A 

1.  Luckham,  D.C.,  Vera,  J.,  Bryan,  D.,  Augustin,  L.M.,  and  Belz,  F.,  “Partid  Orderings  of 
Event  Sets  and  Their  Application  to  Prototyping  Concurrent  Timed  Systems”,  in  proceedings 
of  DARPA  Software  Technology  Conference,  Los  Angeles,  California,  pages  443-457,  April 

28-30,  1992. 

2.  Mitchell,  J.C.,  Katiyar,  D.,  Luckham,  D.C.,  Madhav,  N.,  Meldal,  S.,  and  Sankar,  S.,  “Sub¬ 
typing,  Assignment  and  Cloning  in  a  Concurrent  Object-Oriented  Language.”,  in  pro^ceedings 
of  DARPA  Software  Technology  Conference,  Los  Angeles,  California,  pages  458-470,  April 
28-30,  1992. 

3.  Lnckham,  D.C.,  Sankar,  S.,  Mann,  W.,  and  Goyal,  A.,  “Anna  -  A  Language  For  Specifying 
Ada  Programs”,  in  proceedings  of  DARPA  Software  Technology  Conference,  Los  Angeles, 
California,  pages  498-501,  April  28-30,  1992. 

4.  Luckham,  D.C.,  Vera,  J.,  Bryan,  D.,  Augnstin,  L.,  and  Belz,  F.,  “Partial  orderings  of  event 
sets  and  their  application  to  prototyping  concurrent  timed  systems”,  Computer  Systems  Lab¬ 
oratory  Technical  Report  CSL-TR-92-515,  (PAVG  No.  59),  April,  1992. 

5.  1992  ACM/IEEE  Best  Paper  Award, 

Gennart,  Benoit  A.,  and  Luckham,  David  C.,  “Validating  Discrete  Event  Simulations  Using 
Event  Pattern  Mappings”,  Proceedings  of  the  29th  ACM/IEEE  Design  Automation  Confer¬ 
ence,  Anaheim,  California,  pages  414-419,  June  8  -  12,  1992. 

6.  Luckham,  D.C.,  Vera,  J.,  Bryan  D.,  Augustin  L.M.,  and  Belz  F.,  “Partial  Orderings  of  Event 
Sets  and  Their  Application  to  Prototyping  Concurrent  Timed  Systems”,  Journal  of  Systems 
and  Software,  Elsevier  Press,  New  York,  special  issue  on  applying  specification,  verification, 
and  validation  techniques  to  industrial  software  systems,  Vol  21(3)  pp. 251-265,  June,  1993. 

7.  Madhav,  N.,  “Correctness  and  Error  Detection  in  a  Model  of  Distributed  Program  Execu¬ 
tions”,  Computer  Systems  Laboratory  Technical  Report  CSL-TR-93-578,  (PAVG  No.  65), 
September,  1993. 
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8.  Mann,  W.,  Belz,  F.C.,  and  Corneil,  R,  “A  Rapide  1.0  Definition  of  the  ADAGE  Avionics 
System”,  Computer  Systems  Laboratory  Technical  Report  CSL-TR-93-585,  (PAVG  No.  66), 
November,  1993. 

9.  Katiyar,  D.,  Luckham,  D.C.,  Mitchell  J.,  and  Meldal,  S.,  “Polymorphism  and  Subtyping  in 
Interfaces.  ”,  in  proceedings  of  ACM  Workshop  on  Interface  Definition  Languages,  pages  22- 
34,  January  20th. ,1994. 

10.  Katiyar,  D.,  Luckham,  D.C.,  and  Mitchell  J.,  “A  Type  System  for  Prototyping  Languages.”, 
in  proceedings  of  21st  ACM  Symp.  on  Principles  of  Programming  Languages,  page  138-150, 
January  17-19th.,  1994.  Also  Computer  Systems  Laboratory  Technical  Report  CSL-TR-94- 
603,  (PAVG  No.  67),  January,  1994. 

11.  Luckham,  D.C.,  Augustin,  L.M.,  Kenney,  J.J.,  Vera,  J.,  Bryan,  D.,  and  Mann,  W.,  “Speci¬ 
fication  and  Analysis  of  System  Architecture  Using  Rapide.  ”,  Computer  Systems  Laboratory 
Technical  Report  CSL-TR-94-608,  (PAVG  No.  68),  April,  1994  and  to  be  appeared  in  IEEE 
Transactions  on  Software  Engineering  Special  Issue  on  Software  Architecture,  1995. 

12.  Luckham,  D.C.,  Vera,  J.,  “An  Event-Based  Architecture  Definition  Language”,  will  be  pub¬ 
lished  in  IEEE- Transactions  on  Software  Engineering,  1995. 
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